Abstract — Items shared through Social Media may affect more than one user’s privacy — e.g., photos that depict multiple users, 
comments that mention multiple users, events in which multiple users are invited, etc. The lack of multi-party privacy management 
support in current mainstream Social Media infrastructures makes users unable to appropriately control to whom these items are actually 
shared or not. Computational mechanisms that are able to merge the privacy preferences of multiple users into a single policy for an 
item can help solve this problem. However, merging multiple users' privacy preferences is not an easy task, because privacy preferences 
may conflict, so methods to resolve conflicts are needed. Moreover, these methods need to consider how users would actually reach an 
agreement about a solution to the conflict in order to propose solutions that can be acceptable by all of the users affected by the item to 
be shared. Current approaches are either too demanding or only consider fixed ways of aggregating privacy preferences. In this paper, 
we propose the first computational mechanism to resolve conflicts for multi-party privacy management in Social Media that is able to 
adapt to different situations by modelling the concessions that users make to reach a solution to the conflicts. We also present results 
of a user study in which our proposed mechanism outperformed other existing approaches in terms of how many times each approach 
matched users’ behaviour. 
1 Introduction 

Hundreds of billions of items that are uploaded to 
Social Media are co-owned by multiple users [1], 
yet only the user that uploads the item is allowed to 
set its privacy settings (i.e., who can access the item). 
This is a massive and serious problem as users' privacy 
preferences for co-owned items usually conflict, so 
applying the preferences of only one party risks such 
items being shared with undesired recipients, which 
can lead to privacy violations with severe consequences 
(e.g., users losing their jobs, being cyberstalked, etc.) [2]. 
Examples of items include photos that depict multiple 
people, comments that mention multiple users, events in 
which multiple users are invited, etc. Multi-party privacy 
management is, therefore, of crucial importance for users 
to appropriately preserve their privacy in Social Media. 

There is recent evidence that users very often negotiate 
collaboratively to achieve an agreement on privacy 
settings for co-owned information in Social Media [3], 
Q. In particular, users are known to be generally open 
to accommodate other users' preferences, and they are 
willing to make some concessions to reach an agreement 
depending on the specific situation [4]. However, 
current Social Media privacy controls solve this kind of 
situation by only applying the sharing preferences of 
the party that uploads the item, so users are forced to 
negotiate manually using other means such as e-mail, 
SMSs, phone calls, etc. [5] — e.g., Alice and Bob may 
exchange some e-mails to discuss whether or not they 
actually share their photo with Charlie. The problem 
with this is that negotiating manually all the conflicts 
that appear in everyday life may be time-consuming 
because of the high number of possible shared items and 
the high number of possible accessors (or targets) to be 
considered by users [2]; e.g., a single average user in 
Facebook has more than 140 friends and uploads more 
than 22 photos [6]. 

Computational mechanisms that can automate the negotiation 
process have been identified as one of the 
biggest gaps in privacy management in social media [3], 
fl, @, \% (§J. The main challenge is to propose solutions 
that can be accepted most of the time by all the users 
involved in an item (e.g., all users depicted in a photo), 
so that users are forced to negotiate manually as little 
as possible, thus minimising the burden on the user to 
resolve multi-party privacy conflicts. 

Very recent related literature proposed mechanisms to 
resolve multi-party privacy conflicts in social media [2], 
[9], [10], [11], [12], [13]. Some of them [9], [10] need too 
much human intervention during the conflict resolution 
process, by requiring users to solve the conflicts manually 
or close to manually, e.g., participating in 
difficult-to-comprehend auctions for each and every co-owned item. 
Other approaches to resolve multi-party privacy conflicts 
are more automated [2], [11], [12], but they only consider 
one fixed way of aggregating users' privacy preferences 
(e.g., veto voting [2]) without considering how users 
would actually achieve compromise and the concessions 
they might be willing to make to achieve it depending 
on the specific situation. Only [13] considers more than 
one way of aggregating users' privacy preferences, but 
the user that uploads the item chooses the aggregation 
method to be applied, which becomes a unilateral decision 
without considering the preferences of the others. 

In this paper, we present the first computational mechanism 
for social media that, given the individual privacy 
preferences of each user involved in an item, is able to 
find and resolve conflicts by applying a different conflict 
resolution method based on the concessions users may 
be willing to make in different situations. We also present 
a user study comparing our computational mechanism 
of conflict resolution and other previous approaches to 
what users would do themselves manually in a number 
of situations. The results obtained suggest our proposed 
mechanism significantly outperformed other previously 
proposed approaches in terms of the number of times it 
matched participants' behaviour in the study. 


2 Background 

Assume a finite set of users $U$, where a finite subset of 
negotiating users $N \subseteq U$ negotiate whether they should 
grant a finite subset of target users¹ $T \subseteq U$ access to a 
particular co-owned item. For instance, Alice and Bob 
(negotiating users) negotiate about whether they should 
grant Charlie (target user) access to a photo of them 
depicted together. For simplicity and without loss of 
generality, we will consider a negotiation for one item 
over the course of this paper — e.g., a photo that depicts 
the negotiating users together — and hence, we do not 
include any additional notation for the item in question. 


2.1 Individual Privacy Preferences 

Negotiating users have their own individual privacy 
preferences about the item — i.e., to whom of their 
online friends they would like to share the item if 
they were to decide it unilaterally. In this paper, we 
assume negotiating users specify their individual privacy 
preferences using group-based access control, which is 
nowadays mainstream in Social Media (e.g., Facebook 
lists or Google+ circles), to highlight the practical applicability 
of our proposed approach. However, other 
access control approaches for Social Media could also be 
used in conjunction with our proposed mechanism — 
e.g., relationship-based access control [14], [15], [16] as 
already shown in [17], or (semi-)automated approaches 
like [18], [19], [20]. Note also that our approach does not 
necessarily need users to specify their individual privacy 
preferences for each and every item separately; they 
could also specify the same preferences for collections 
or categories of items for convenience according to the 
access control model being used — e.g., Facebook users 
can specify preferences for a whole photo album at once. 

Mainstream Social Media (Facebook, Google+, etc.) 
have predefined groups and also allow users to define 
their own groups, each of which is composed of 
a set of friends. Access to items (photos, etc.) can be 
granted/denied to groups, individuals or both (e.g., all 
Friends have access to a photo except Charlie). We 
formally define a group $G \subseteq U$ as a set of users, and 
the set of all groups defined by a particular user $u$ as 
$\mathcal{G}_u = \{G_1, \ldots, G_l\}$, so that $\bigcap_{G \in \mathcal{G}_u} G = \emptyset$. For instance, 
Alice may have defined the following groups $\mathcal{G}_{Alice} = 
\{CloseFriends, Family, Coworkers\}$ to organise her 
online friends. 

Definition 1: A privacy policy $P$ is a tuple $P = (A, E)$, 
where $A$ is the set of groups granted access and $E \subseteq U$ 
is a set of individual user exceptions. 

The semantics of a group-based privacy policy in 
most Social Media are: P.A are the groups that are 
authorised (or granted) access to the item; and P.E are 
a set of individual exceptions — either users in the 
authorised groups who are denied access individually 
or users who are granted access individually because 
they are in the unauthorised groups (groups not explicitly 
granted access). Continuing the example above, 
Alice defines her individual privacy policy for an item 
as $P_{Alice} = (\{CloseFriends\}, \{Charlie\})$, i.e., Alice 
wants to share the item only with CloseFriends but 
excluding Charlie. 

2.2 Problem Statement 

Given a set of negotiating users $N = \{n_1, \ldots, n_k\}$ who 
co-own an item — i.e., there is one uploader $\in N$ who 
uploads the item to social media and the rest in $N$ are 
users affected by the item; and their individual (possibly 
conflicting) privacy policies $P_{n_1}, \ldots, P_{n_k}$ for that item; 
how can the negotiating users agree on with whom, from 
the set of the target users $T = \{t_1, \ldots, t_m\}$, the item 
should be shared? 

This problem can be decomposed into: 

1) Given the set of individual privacy policies 
$P_{n_1}, \ldots, P_{n_k}$ of each negotiating user for the item, 
how can we identify if at least two policies have 
contradictory decisions — or conflicts — about 
whether or not to grant target users $T$ access to 
the item. 

2) If conflicts are detected, how can we propose a 
solution to the conflicts found that respects as 
much as possible the preferences of negotiating 
users N. 


1. We defined the set of target users as a subset of the users to remain 
as general as possible; i.e., without forcing it to satisfy a particular 
property. However, the set of target users could be further qualified as a 
particular subset of users satisfying any property without changing the 
subsequent formalisation; e.g., the set of target users could be defined 
as the union of all of the negotiating users' online friends. 


3 Mechanism Overview 

We propose the use of a mediator that detects conflicts 
and suggests a possible solution to them. For instance, 
in most Social Media infrastructures, such as Facebook, 
Twitter, Google+ and the like, this mediator could be 
integrated as the back-end of Social Media privacy controls' 
interface; or it could be implemented as a Social 
Media application — such as a Facebook app — that 
works as an interface to the privacy controls of the 
underlying Social Media infrastructure. Figure 1 depicts 
an overview of the mechanism proposed. In a nutshell, 
the process the mediator follows is: 

1) The mediator inspects the individual privacy policies 
of all users for the item and flags all the conflicts 
found (as described in Section 4). Basically, 
it looks at whether individual privacy policies 
suggest contradictory access control decisions for 
the same target user. If conflicts are found the item 
is not shared preventively. 

2) The mediator proposes a solution for each conflict 
found. To this aim, the mediator estimates (as 
described in Section 5) how willing each negotiating 
user may be to concede by considering: 
her individual privacy preferences, how sensitive 
the particular item is for her, and the relative 
importance of the conflicting target users for her. 



Fig. 1. Mechanism Overview 


If all users accept the solution proposed, it will be 
applied. Otherwise, users will need to turn to a manual 
negotiation by other means. Note that different approaches 
could be used to communicate the suggested 
solutions to users and get back their feedback, as 
discussed in Section 7. 


4 Conflict Detection 

We need a way to compare the individual privacy preferences 
of each negotiating user in order to detect conflicts 
among them. However, each user is likely to have 
defined different groups of users, so privacy policies 
from different users may not be directly comparable. 
To compare privacy policies from different negotiating 
users for the same item, we consider the effects that 
each particular privacy policy has on the set of target 
users T. Privacy policies dictate a particular action to 
be performed when a user in T tries to access the item. 
In particular, we assume that the available actions are 
either 0 (denying access) or 1 (granting access). The 
action to perform according to a given privacy policy 
is determined as follows:² 

2. Note that the definition of this function will vary according to the 
access control model used, but it will be defined in a similar way. That 
is, the idea is to be able to know, given a target user t, whether the 
privacy policy will grant/deny t access to the item regardless of the 
access control model being used. 


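Definition 2: Given a user $n \in N$, her groups $\mathcal{G}_n$, her 
individual privacy policy $P_n = (A, E)$, and a user $t \in T$, 
we define the action function as: 

$$
act(P_n, t) =
\begin{cases}
1 & \text{if } \exists G \in \mathcal{G}_n : t \in G \wedge G \in P_n.A \wedge t \notin P_n.E \\
1 & \text{if } \exists G \in \mathcal{G}_n : t \in G \wedge G \notin P_n.A \wedge t \in P_n.E \\
0 & \text{otherwise}
\end{cases}
$$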

We also consider so-called action vectors $v \in \{0,1\}^{|T|}$, 
i.e., complete assignments of actions to all users in $T$, 
such that $v[t]$ denotes the action for user $t \in T$. When a 
privacy policy is applied to the set of users $T$, it produces 
such an action vector, where $v[t] = act(P, t)$. 

If all the action vectors of all negotiating users assign 
the same action for all target users, then there is no 
conflict. Otherwise, there are at least two action vectors 
that assign different actions to the same target user, and 
there is a conflict. In other words, a conflict arises when 
some negotiating users would like to grant access to one 
target user while the others would not. Formally: 

Definition 3 (conflict): Given a set of negotiating users 
$N$ and a set of target users $T$; a target user $t \in T$ is 
said to be in conflict iff $\exists a, b \in N$ with individual privacy 
policies $P_a$ and $P_b$ respectively, so that $v_a[t] \neq v_b[t]$. 

Further, we say that the set of users in conflict $C \subseteq T$ 
is the set that contains all the target users that are in 
conflict. 


Algorithm 1 Conflict Detection 

Input: $N$, $P_{n_1}, \ldots, P_{n_{|N|}}$, $T$ 
Output: $C$ 

for all $n \in N$ do 
    for all $t \in T$ do 
        $v_n[t] \leftarrow 0$ 
        for all $G \in P_n.A$ do 
            if $\exists u \in G, u = t$ then 
                $v_n[t] \leftarrow 1$ 
            end if 
        end for 
    end for 
    for all $e \in P_n.E$ do 
        $v_n[e] \leftarrow \neg v_n[e]$ 
    end for 
end for 
$C \leftarrow \emptyset$ 
for all $t \in T$ do 
    Take $a \in N$ 
    for all $b \in N \setminus \{a\}$ do 
        if $v_a[t] \neq v_b[t]$ then 
            $C \leftarrow C \cup \{t\}$ 
        end if 
    end for 
end for 


The mediator runs Algorithm 1 to detect conflicts by 
harvesting the users in conflict set $C$. The complexity of 
the algorithm is polynomial and it mainly depends on the 
number of negotiating users, target users, groups granted 
access, and users in each group granted access. In the 
worst case, the complexity is $O(|U|^3)$, when all users $U$ 
are negotiators and targets; all groups of all negotiators 
are granted access; and, for each negotiator, there are as 
many groups as users or all users are in one group.³ If 
Algorithm 1 does not detect any conflict — i.e., $C = \emptyset$, it 
will return to the users without changes to their preferred 
privacy policies. If Algorithm 1 detects conflicts, the 
mediator will then run the conflict resolution module, 
which is described in the following section. 

Example 1: Assume a set of users $U = \{Alice, Bob, 
Charlie, Dan, Eve, Frank\}$. Negotiating users $N = 
\{Alice, Bob\}$ are in the process of deciding to which 
target users $T = \{Charlie, Dan, Eve, Frank\}$ they 
grant access to a photo in which both of them 
are depicted. Negotiating users defined the following 
groups: Alice defined $\mathcal{G}_{Alice} = \{MyFriends\}$ so 
that $MyFriends = \{Charlie, Dan, Eve\}$; and Bob 
defined $\mathcal{G}_{Bob} = \{CloseFriends, Family\}$ so that 
$CloseFriends = \{Charlie, Eve\}$ and $Family = 
\{Dan, Frank\}$. Now, assume that negotiating users have 
the following individual privacy policies for the photo: 
Alice has $P_{Alice} = (\{MyFriends\}, \{Eve\})$ so that 
$v_{Alice} = (1, 1, 0, 0)$ — i.e., only Charlie and Dan would 
be granted access to the photo; and Bob has $P_{Bob} = 
(\{CloseFriends, Family\}, \emptyset)$ so that $v_{Bob} = (1, 1, 1, 1)$ 
— i.e., all target users Charlie, Dan, Eve and Frank 
would be granted access to the photo. As $v_{Alice}[Eve] \neq 
v_{Bob}[Eve]$ and $v_{Alice}[Frank] \neq v_{Bob}[Frank]$, the set of 
users in conflict is $C = \{Eve, Frank\}$. 

5 Conflict Resolution 

When conflicts are detected, the mediator suggests a 
solution according to the following principles: 

• Principle 1: An item should not be shared if it is 
detrimental to one of the users involved — i.e., 
users refrain from sharing particular items because 
of potential privacy breaches [21] and other users 
allow that as they do not want to cause any deliberate 
harm to others ©, ©. 

• Principle 2: If an item is not detrimental to any of 
the users involved and there is any user for whom 
sharing is important, the item should be shared 
— i.e., users are known to accommodate others' 
preferences a @.,§ , . . 

• Principle 3: For the rest of cases, the solution 
should be consistent with the majority of all users' 
individual preferences — i.e., when users do not 
mind much about the final output [3], [4], [5]. 

We shall now describe the framework to model these 
principles, and Appendix A shows the proofs that the 
framework follows the principles above. In a nutshell, 
the mediator computes a solution to the conflicts as 
detailed in Section 5.3, based on the three principles 
above, which are operationalised as concession rules as 
detailed in Section 5.2. Concession rules are in turn 
instantiated based on the preferred action of each user for 
the conflict (dictated by each user's individual privacy 
policy) as well as an estimated willingness to change that 
action (detailed in Section 5.1). 

3. Recall groups are disjoint. Otherwise, the complexity is $O(|U|^4)$. 


5.1 Estimating the Willingness to change an action 

In order to find a solution to the conflict that can be 
acceptable to all negotiating users, it is key to account for 
how important it is for each negotiating user to grant/deny 
access to the conflicting target user. In particular, the 
mediator estimates how willing a user would be to 
change the action (granting/denying) she prefers for a 
target agent in order to solve the conflict based on two 
main factors: the sensitivity of the item and the relative 
importance of the conflicting target user. 


5.1.1 Estimating Item Sensitivity 

If a user feels that an item is very sensitive for her,⁴ she 
will be less willing to accept sharing it than if the item 
is not sensitive for her [21], [22]. One way of eliciting 
item sensitivity would be to ask the user directly, but 
this would increase the burden on the user. Instead, the 
mediator estimates how sensitive an item is for a user 
based on how strict her individual privacy policy is for 
the item [19], so that the stricter the privacy policy for 
the item the more sensitive it will be. Intuitively, the 
lower the number of friends granted access, the stricter 
the privacy policy, hence, the more sensitive the item is. 
Moreover, not all friends are the same; i.e., users may feel 
closer to some friends than others and friends may be 
in different groups representing different social contexts. 
Thus, both the group and the strength of each relationship 
are considered when estimating the strictness of 
privacy policies and, therefore, the sensitivity of items. 

The mediator can use any of the existing tools to 
automatically obtain relationship strength (or tie strength) 
values for all the user's friends for particular Social 
Media infrastructures such as Facebook [23], [24] and 
Twitter [25] with minimal user intervention. Even if the 
mediator would not be able to use these tools, users 
could be asked to self-report their tie strength to their 
friends, which would obviously mean more burden on 
the users but would still be possible. Whatever the procedure 
being used, the mediator just assumes that the tie 
strength value assigned for each pair of friends $a$ and $b$ is 
given by a function $\tau(a, b)$, so that $\tau : U \times U \rightarrow \{0, \ldots, \delta\}$, 
where $\delta$ is the maximum positive integer value in the tie 
strength scale used.⁵ 

Based on these values, the mediator considers how 
strict a user's individual privacy policy is as an estimate 
of the sensitivity of an item by calculating the minimum 
tie strength needed in each group to have access to the 
item and averaging it across groups. That is, if a privacy 
policy only grants users with close relationships (i.e., 
friends with high tie strength values) access to an item, 
then the item will be estimated as sensitive, since the 
privacy policy is very strict (i.e., the average minimum tie 
strength across groups to have access to the item is very 
high). On the contrary, if a privacy policy grants users 
with low tie strengths across groups, then the item will 
be estimated as less sensitive, since the privacy policy is 
less strict. 

4. Note that we particularly stress that an item is sensitive for 
someone. This is because the same item may be seen as having different 
sensitivity by different people. 

5. The maximum tie strength value $\delta$ depends on the tool used. For 
example, in Fogues et al. [23] $\delta = 5$; i.e., six levels of tie strength, which 
would map to, for instance, the friend relationship as: 0-no relationship, 
1-acquaintance, 2-distant friend, 3-friend, 4-close friend, 5-best friend. 

Definition 4: Given a user $n \in N$, her groups $\mathcal{G}_n$, 
and her individual privacy policy $P_n$ for an item, the 
sensitivity of the item for $n$ is estimated as: 

$$
S_n = \frac{1}{|\mathcal{G}_n|} \sum_{G \in \mathcal{G}_n} T_n(G)
$$

where $T_n(G)$ is the strictness of the privacy policy in 
group $G$, defined as the minimum tie strength needed in 
group $G$ to have access to the item: 

$$
T_n(G) = \min_{t \in G} f(n, t)
$$

and $f(n, t)$ is based on the tie strength between users 
$n$ and $t$. However, this function considers differently 
situations where $t$ is given access and situations where $t$ 
is denied access. In particular, if user $t$ is granted access, 
then function $f$ returns the tie strength between users $n$ 
and $t$. On the contrary, if user $t$ is denied access, then 
this user must not be considered when determining the 
policy strictness for the group and function $f$ returns the 
maximum tie strength value (recall that $T_n(G)$ is defined 
as the minimum value returned by function $f$ for all 
users in a group). More formally, $f(n, t)$ is defined as 
follows: 

$$
f(n, t) =
\begin{cases}
\tau(n, t) & \text{iff } act(P_n, t) = 1 \\
\delta & \text{iff } act(P_n, t) = 0
\end{cases}
$$


5.1.2 Estimating the relative importance of the conflict 

Now the focus is on the particular conflicting target user 
— i.e., the target user for which different negotiating 
users prefer a different action (denying/granting access 
to the item). The mediator estimates how important a 
conflicting target user is for a negotiating user by considering 
both tie strength with the conflicting target user [26], 
[27], [28] and the group (relationship type) the conflicting 
target user belongs to [18], [20], [29], which are known to 
play a crucial role for privacy management. For instance, 
Alice may decide she does not want to share a party 
photo with her mother, who has a very close relationship 
to Alice (i.e., tie strength between Alice and her mother 
is high). This signals that not sharing the photo with 
her mother is very important to Alice, e.g., teens are 
known to hide from their parents in social media [30]. 
Another example would be a photo in which Alice is 
depicted together with some friends with a view to a 
monument that she wants to share with all her friends. 
If some of her friends that appear in the monument 
photo also want to include Alice's acquaintances, it is 
likely she would accept as she already wants to share 
with all her friends (whether close or distant). Thus, the 
mediator estimates the relative importance of a particular 
conflicting user considering both the tie strength with 
this user in general and within the particular group 
(relationship type) she belongs to. In particular, the mediator 
estimates the relative importance a conflicting target user 
has for a negotiating user as the difference between the 
tie strength with the conflicting user and the strictness 
of the policy for the group the conflicting user belongs 
to. If the conflicting target user does not belong to any 
group of the negotiator, then the relative importance 
is estimated considering the item sensitivity instead as 
there is no group information. 

Definition 5: Given a user $n \in N$, her groups $\mathcal{G}_n$, and 
a conflicting user $c \in C$, the relative importance of $c$ for 
$n$ is estimated as follows: 

$$
I_n(c) =
\begin{cases}
|T_n(G) - \tau(n, c)| & \text{if } \exists G \in \mathcal{G}_n : c \in G \\
|S_n - \tau(n, c)| & \text{otherwise}
\end{cases}
$$

For instance, assume Alice would like to share 
with all her friends — i.e., $T_{Alice}(Friends) = 1$ — but 
not with Charlie, who is a close friend of hers — i.e., 
$\tau(Alice, Charlie) = 5$. The relative importance would be 
calculated as $I_{Alice}(Charlie) = |1 - 5| = 4$, which means 
that the action Alice prefers for Charlie is quite important 
to her; e.g., Alice could be creating an event in which she 
invites all her friends except Charlie because the event is 
a surprise for Charlie's birthday, so sharing with Charlie 
would mean ruining the surprise party. In the very same 
way, if Alice would like to share an item only with 
her best friend — i.e., $T_{Alice}(Friends) = 5$, the relative 
importance of denying access to an acquaintance would 
be high too — i.e., if Peter is an acquaintance of Alice such 
that $\tau(Alice, Peter) = 1$, then $I_{Alice}(Peter) = |5 - 1| = 4$. 

5.1.3 Estimating Willingness 

Finally, the mediator estimates the willingness to change 
the preferred action (granting/denying) for a conflicting 
target user accounting for both the sensitivity of the item 
and the relative importance of the conflicting target user 
as detailed above. If both sensitivity and relative importance 
are the highest possible, then the willingness to 
change should be minimal. On the contrary, if both 
sensitivity and relative importance are the lowest possible, 
then the willingness to change should be maximal. Thus, 
we define willingness as a distance (in a 2-dimensional 
space) between the values of both item sensitivity and 
relative importance and the maximum possible values 
for both — as shown above, both measures are defined 
in tie strength units and have $\delta$ as their maximum value.⁶ 
We chose for this the Canberra distance⁷ instead of 
other distances like Euclidean, Manhattan, or Chebyshev 
because it is a relative and not absolute distance metric 
— so that it would work in the same way regardless of 
the $\delta$ value being used. 

6. The calculations and meaning for sensitivity and relative importance 
are different and they may render different values for the same 
conflict, so they are considered as two different dimensions. 

7. Given two n-dimensional vectors $p$ and $q$, the Canberra distance 
[31] is defined as: $d(p, q) = \sum_{i=1}^{n} \frac{|p_i - q_i|}{|p_i| + |q_i|}$ 

Definition 6: Given user $n \in N$, her preferred privacy 
policy $P_n$, the maximum tie strength value $\delta$, a conflicting 
target user $c \in C$, the willingness of user $n$ to accept 
changing her most preferred action for $c$ is a function 
$W : N \times C \rightarrow [0, 1]$ so that: 

$$
W(n, c) = \frac{1}{2} \left( \frac{|\delta - I_n(c)|}{\delta + I_n(c)} + \frac{|\delta - S_n|}{\delta + S_n} \right)
$$

Note that the only difference from a 2-dimensional 
Canberra distance is that we divide by 2 the final result 
to normalise the willingness into a real value within the 
[0,1] interval for convenience to model concessions as 
shown in the following section (Section 5.2). 

Example 2: Suppose Example 1 and that we would like 
to obtain the willingness of Alice and Bob to accept 
changing their preferred actions for the conflicts found 
$C = \{Eve, Frank\}$. Suppose also that the tie strength 
between users are those given in Table 1. Table 2 shows all 
the willingness values for each of the conflicts and possible 
solutions. For instance, to calculate $W(Alice, Eve)$, 
the mediator first calculates the item sensitivity and the 
relative importance of Eve as follows: 

$$
S_{Alice} = \frac{1}{|\mathcal{G}_{Alice}|} \sum_{G \in \mathcal{G}_{Alice}} T_{Alice}(G) = T_{Alice}(MyFriends) = 2
$$

and 

$$
I_{Alice}(Eve) = |T_{Alice}(MyFriends) - \tau(Alice, Eve)| = |2 - 1| = 1
$$

Therefore, the willingness is: 

$$
W(Alice, Eve) = \frac{1}{2} \left( \frac{|\delta - I_{Alice}(Eve)|}{\delta + I_{Alice}(Eve)} + \frac{|\delta - S_{Alice}|}{\delta + S_{Alice}} \right) = \frac{1}{2} \left( \frac{|5 - 1|}{5 + 1} + \frac{|5 - 2|}{5 + 2} \right)
$$

We can see in Table 2 that the mediator would estimate 
Alice's willingness to grant Eve access to the item higher 
than Alice's willingness to grant Frank access to the item 
— recall Alice's preferred action for both Eve and Frank 
is to deny access, so the mediator estimates willingness 
to grant access. The reason for the estimated willingness 
is that, though the item seems not very sensitive for 
Alice ($S_{Alice} = 2$), Eve is closer to Alice than Frank, who 
seems not to be a friend of Alice at all or be a very 
distant acquaintance because of a 0 tie strength. We can 
also see in Table 2 that the mediator would estimate 
Bob's willingness not to share with Eve to be lower than 
Bob's willingness not to share with Frank — recall Bob's 
preferred action for both Eve and Frank is to grant access, 
so the mediator estimates willingness to deny access. This 
is because Eve seems to have higher relative importance 
than Frank for Bob; i.e., Eve seems to be best friends with 
Bob (high tie strength), so it is plausible to believe Bob 
would definitely want to share with his best friend and 
would be unwilling to accept not sharing with her. 



         Charlie   Dan   Eve   Frank 
Alice       4       2     1      0 
Bob         3       2     5      2 

TABLE 1 

Tie strength for Example 2, with $\delta = 5$ according to [23]. 



         Eve    Frank 
Alice    0.55   0.43 
Bob      0.34   0.71 

TABLE 2 

Willingness for Example 2. 
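
The Python below is an added illustration, not code from the paper: it implements Definitions 2 to 6 over the groups, policies and tie strengths of Examples 1 and 2, reproducing the conflict set of Example 1 and Alice's row of Table 2. The dictionary layout and function names are assumptions of this example.

```python
"""Added illustration of Definitions 2-6 on the data of Examples 1 and 2."""

DELTA = 5  # maximum tie strength (delta), as in Table 1

# Groups defined by each negotiating user (Example 1); groups are disjoint.
GROUPS = {
    "Alice": {"MyFriends": {"Charlie", "Dan", "Eve"}},
    "Bob": {"CloseFriends": {"Charlie", "Eve"}, "Family": {"Dan", "Frank"}},
}
# Individual policies P = (A, E): groups granted access, individual exceptions.
POLICIES = {
    "Alice": ({"MyFriends"}, {"Eve"}),
    "Bob": ({"CloseFriends", "Family"}, set()),
}
TARGETS = ["Charlie", "Dan", "Eve", "Frank"]
# Tie strengths tau(n, t) as listed in Table 1.
TIE = {
    "Alice": {"Charlie": 4, "Dan": 2, "Eve": 1, "Frank": 0},
    "Bob": {"Charlie": 3, "Dan": 2, "Eve": 5, "Frank": 2},
}


def act(n, t):
    """Definition 2: 1 grants access, 0 denies it."""
    granted, exceptions = POLICIES[n]
    for name, members in GROUPS[n].items():
        if t in members:
            # An exception flips the decision of the group t belongs to.
            return int((name in granted) != (t in exceptions))
    return 0  # t is in none of n's groups


def action_vector(n):
    """Action vector v_n over all target users, in TARGETS order."""
    return [act(n, t) for t in TARGETS]


def conflicts():
    """Definition 3: targets on which at least two negotiators disagree."""
    return [t for t in TARGETS if len({act(n, t) for n in POLICIES}) > 1]


def strictness(n, group):
    """T_n(G): minimum f(n, t) in the group; denied members count as DELTA."""
    return min(TIE[n][t] if act(n, t) == 1 else DELTA
               for t in GROUPS[n][group])


def sensitivity(n):
    """Definition 4: strictness averaged across the user's groups."""
    return sum(strictness(n, g) for g in GROUPS[n]) / len(GROUPS[n])


def importance(n, c):
    """Definition 5: relative importance of conflicting target c for n."""
    for g, members in GROUPS[n].items():
        if c in members:
            return abs(strictness(n, g) - TIE[n][c])
    return abs(sensitivity(n) - TIE[n][c])  # no group information for c


def willingness(n, c):
    """Definition 6: halved 2-D Canberra distance to (DELTA, DELTA)."""
    i, s = importance(n, c), sensitivity(n)
    return 0.5 * (abs(DELTA - i) / (DELTA + i) + abs(DELTA - s) / (DELTA + s))


if __name__ == "__main__":
    for n in POLICIES:
        print(n, "action vector:", action_vector(n))
    print("users in conflict:", conflicts())
    for c in conflicts():
        print("W(Alice, %s) = %.2f" % (c, willingness("Alice", c)))
```
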


5.2 Modelling Concessions 

As suggested by existing research 0.0 15], negotiations 
about privacy in social media are collaborative 
most of the time. That is, users would consider others' 
preferences when deciding to whom they share, so users 
may be willing to concede and change their initial most- 
preferred option. Being able to model the situations in 
which these concessions happen is of crucial importance 
to propose the best solution to the conflicts found — 
one that would be acceptable by all the users involved. 
To this aim, the mediator models users' decision-making 
processes during negotiations based on the willingness 
to change an action (defined above) as well as on findings 
about manual negotiations in this domain, like the 
ones described in [3], [4], [5]. Users' decision making 
on continuous variables, like the willingness to change 
an action, is commonly modelled using fuzzy sets that 
characterize intervals of the continuous variables [32]. 
Figure 2 depicts the intervals the mediator considers for 
the willingness to change an action, which can be low or 
high.⁸ Based on this, the following fuzzy IF-THEN rules 
are used to model concessions in different situations, as 
described below, according to the three principles stated above. 

8. Note that by design, as we are dealing with privacy, we take a 
conservative approach and the cutting point of exactly 0.5 is considered 
low. 

Fig. 2. Fuzzy sets low and high. 

I do not mind (IDM) rule 

Users are generally willing to accommodate others' sharing 
preferences [3], [4], so if they do not mind much 
about which action is finally applied, they will concede 
and accept applying the action that is not the most 
preferred for them. In particular, if the willingness to 
accept the action that is not the preferred one is high, 
then this may mean that the user would not mind much 
conceding and accepting that action for the conflicting 
target user. Assuming a negotiating user $a \in N$, and 
a conflicting target user $c \in C$, this concession can be 
formalised as the following fuzzy IF-THEN rule: 

IF W(a,c) IS high THEN concede (IDM) 

Note that concede means that user $a$ would accept changing her initial most preferred action to reach an agreement. Thus, users that would initially prefer granting the particular conflicting target user access to the corresponding item would accept denying access, and users that would initially prefer denying the particular conflicting target user access to the corresponding item would accept granting access. For instance, Alice and Bob could be depicted in a photo with very low sensitivity — e.g., a photo in which both Alice and Bob are depicted with a view to a monument — and both of them could have defined privacy policies for the photo so that all their friends can see it. Suppose that Charlie is a friend of Alice but a distant acquaintance of Bob, so according to Alice's privacy policy Charlie should be granted access to the photo but according to Bob's privacy policy Charlie should not be granted access to the photo. However, given that the photo is not sensitive for Bob, Bob would probably accept sharing also with Charlie and solve the conflict.


I understand (IU) rule

Even when the willingness to change an action is low for some of the negotiating users, users do not want to cause any deliberate harm to their friends and will normally listen to their objections [4]. That is, if the item may be detrimental to some of the negotiating users, so that they prefer denying a conflicting target user access and the willingness to grant access is low, then other users whose most preferred action for the target user is granting access and the willingness to accept denying is also low would concede and accept denying access to the conflicting target user. Indeed, considering others' self-presentation online has been reported as a way of reaffirming and reciprocating users' relationships [4], [26]. Assuming a negotiating user $a \in N$, and a conflicting target user $c \in C$, this concession can be formalised as the following fuzzy IF-THEN rule:

$$\text{IF } W(a,c) \text{ IS low} \;\wedge\; v_a[c] = 1 \;\wedge\; \exists b \in N,\ W(b,c) \text{ IS low} \;\wedge\; v_b[c] = 0 \quad \text{THEN concede} \qquad \text{(IU)}$$

For instance, Alice, Bob, and Charlie are depicted together in a photo in which Bob is clearly inebriated. Initially, Alice and Charlie might very much like to share the photo with friends because Alice, Bob and Charlie could agree they had a very good time together that day in which the photo was taken. However, Alice and Charlie would probably understand the privacy implications this may entail to Bob. Thus, if Bob opposes sharing the photo, Alice and Charlie would probably accept not sharing the photo.

No concession (NC) rule

For the other cases in which neither IDM nor IU applies, the mediator estimates that a negotiating user would not concede and would prefer to stick to her preferred action for the conflicting target user. For completeness, this can be formalised as the following fuzzy IF-THEN rule assuming a negotiating user $a \in N$, and a conflicting target user $c \in C$:

$$\text{IF } W(a,c) \text{ IS low} \;\wedge\; \big(v_a[c] = 0 \;\vee\; (\nexists b \in N : W(b,c) \text{ IS low} \;\wedge\; v_b[c] = 0)\big) \quad \text{THEN do not concede} \qquad \text{(NC)}$$

For instance, when the willingness to accept granting access to the item is low, users very much seek to avoid sharing the item pi) , because it can cause them a privacy breach; i.e., a sensitive item ends up shared with someone they would not like — e.g., in the example above, Bob would most probably not accept sharing the photo in which he appears inebriated with Alice and Charlie's friends because he might feel embarrassed about the photo and would prefer that no one sees it.


5.3 Computing Conflict Resolution 

The mediator computes the solution for each conflict found by applying the concession rules defined above. The solution will be encoded into an action vector $o$, so that $o[t]$ contains the action for target user $t$. If $t$ is not conflicting, the mediator assigns to this target user the action shared by all negotiating users. If $t$ is conflicting, the mediator assigns to $o[t]$ its proposal to solve the conflict. To this aim, the mediator executes Algorithm 2. In particular, for each conflicting target user $t$:

• If for all negotiating users, their willingness to accept changing their preferred action for the conflicting target user is high, then, according to concession rule IDM, the mediator assumes that all users are willing to concede if need be, so that the final action to be applied for target user $t$ can be either granting or denying. In order to select one of these two actions, the mediator runs a modified majority voting rule (Lines 3-6). In particular, this function selects the action that is most preferred by the majority of users. In case there is a tie — i.e., the number of users who prefer granting and the number of users who prefer denying is the same — the uploader is given an extra vote. Note that this function is only used if all the users have a high willingness to accept the action that is not the most preferred for them. That is, it does not really make much of a difference for them which action is finally taken, and all of them are willing to concede (change their preferred action) to reach an agreement.

• If there are users whose willingness to accept changing their preferred action for the conflicting target user is low (Lines 8-14), then the mediator considers two cases: (i) if there are at least two users with low willingness and different preferred actions, then, according to concession rule IU, the action to be taken should be denying the conflicting target user access to the item in question; (ii) otherwise, rule IDM applies so that the users that have high willingness will concede and the user/users who has/have low willingness will determine the action that is finally chosen as the solution.

The complexity of Algorithm 2 is $O(|C| \times |N|^2)$. That is, for each conflict, we need to know for each negotiating agent what is her willingness, which can be calculated in constant time as the sensitivity would only need to be calculated once for all conflicts, and the relative importance of each particular conflicting user can be obtained in constant time. Note that in the very worst case, i.e., when all users are negotiating users and all users are at the same time conflicting, the complexity of Algorithm 2 would be $O(|U|^3)$.



Algorithm 2 Conflict Resolution
Input: $N, P_{n_1}, \ldots, P_{n_{|N|}}, C$
Output: $o$
 1: for all $c \in C$ do
 2:
 3:   if $\forall n \in N$, $W(n, c)$ is HIGH then
 4:     $o[c] \leftarrow \mathrm{modified\_majority}(P_{n_1}, \ldots, P_{n_{|N|}}, c)$
 5:     continue
 6:   end if
 7:
 8:   if $\exists a \in N$, $W(a, c)$ is LOW then
 9:     if $\exists b \in N$, $W(b, c)$ is LOW $\wedge$ $v_a[c] \neq v_b[c]$ then
10:       $o[c] \leftarrow 0$
11:     else
12:       $o[c] \leftarrow v_a[c]$
13:     end if
14:   end if
15: end for

Example 3: Suppose again Example 1 and consider the willingness values calculated in Example 2. Table 3 shows the fuzzy set membership for negotiating users Alice and Bob in case they would accept changing their most preferred action for the conflicting target users $C = \{\text{Eve}, \text{Frank}\}$. We can see that for Alice and Eve IDM rule applies, so that the mediator assumes that Alice would concede (in this case, to accept granting Eve access to the item). As Bob has willingness LOW to change his preferred action for Eve, then the action suggested by this user would be taken to solve the conflict, and the computed solution would be to grant Eve access to the item. Regarding Frank, we have a similar situation. In this case, the willingness is HIGH for Bob, so that IDM rule applies and Bob would concede. As there is only one negotiating user (Alice) with willingness LOW, then the action suggested by this user is taken to solve the conflict. Therefore, the solution to the conflict would be to deny Frank access to the item. The resulting action vector for the item would be $o = \{1, 1, 1, 0\}$; i.e., Charlie, Dan and Eve would be granted access to the item while Frank would be denied access to the item.

          Eve     Frank
Alice     HIGH    LOW
Bob       LOW     HIGH

TABLE 3
Fuzzy Memberships of willingness for Example 3.

6 User Study

The aim of this section is to compare the performance of our proposed mechanism to other existing approaches in terms of what users would do themselves manually in a number of situations. To this aim, we conducted the user study described below.

6.1 Method


We sought to explore situations with different degrees of sensitivity, as users' behaviour to resolve conflicts may be different depending on how sensitive items are. However, this would have involved participants sharing sensitive items of theirs with us. Participants sharing sensitive information in user studies about privacy in Social Media was already identified as problematic in related literature [22], as participants would always seem reluctant to share sensitive information, which biases the study towards non-sensitive issues only. Indeed, this reluctance to share information that may be sensitive with researchers during user surveys is not only associated with studies about privacy and Social Media, but it has also been extensively proven to happen in many other survey situations, including other scientific disciplines such as psychology [33]. A possible alternative to avoid this problem could be one in which participants just self-report how they behave when they experience a multi-party privacy conflict without asking them for any sensitive information. However, the results obtained in that case may not match participants' actual behaviour in practice, as previous research on privacy and Social Media showed that there is a dichotomy between users' stated privacy attitudes and their actual behaviour [34]. As a trade-off between these two alternatives, we chose to recreate situations in which participants would be immersed, following a similar approach to [35], maximising actual behaviour elicitation while avoiding biasing the study to non-sensitive situations only. To this aim, we described a situation to the participants and asked them to immerse themselves in the situation by thinking they were a particular person in a particular photo that was to be shared through a Social Media site and that they were tagged in it, and participants showed very different individual privacy policies and concession decisions depending on the situation as detailed below. Each participant was presented with 10 different scenarios. Scenarios were different across participants as they were composed of: (i) one photo involving multiple users; and (ii) a conflict created based on the individual privacy policy the participant specified for the photo. As we had 50 participants (as detailed below), we were able to gather participant-specified data relative to 500 different scenarios. Photos referred to different situations (e.g., travelling, playing with friends, partying, dating, etc.) and were of different sensitivities a priori — though the participants were asked to specify their privacy policy for the photo as their first task for each scenario (as detailed below), which was different according to how sensitive each photo was for each participant.


We developed a web application that presented the participants with the photos, stored the individual privacy policy they selected for each photo, generated conflicts, and stored whether or not participants would concede during a negotiation in the scenarios presented. For each scenario, participants completed the following two tasks using the application:


1) Definition of the Individual Privacy Policy. Each participant was asked to define her/his most preferred privacy policy for each photo.

2) Conflict and Concession Question. Once the participants defined their individual privacy policy for the photo, a conflict was generated. That is, we told the participants that one or more of the other people in the photo had a different most preferred action for one particular person, specifying the relationship type and strength the participant would have to this person. For instance, if the participant only wanted to share the photo with close friends, we told her/him that the other people in the photo wanted to share the photo with someone that was her/his acquaintance. Where multiple options were available to generate a conflict, we chose one of them randomly. Then, we asked participants whether or not they would concede and change their most preferred action for that person to solve the conflict with the other people depicted in the photo.


6.2 Participants 

We recruited 50 participants via e-mail including university students, academic and non-academic staff, as well as other people not related to academia who volunteered to participate in the study. Participants completed the study online using the web application developed to that end (as detailed above). Before starting, the application showed the information to be gathered and participants needed to consent to continue. Table 4 summarises participants' demographics (gender, age, job), Social Media use (number of accounts in different Social Media sites, and frequency of use), and if they were concerned about their privacy in Social Media (Priv. concerned).


Variable          Distribution
Gender            female (42%), male (58%)
Age               18-24 (18%), 25-30 (36%), 31-40 (24%), 41-50 (10%), 51-60 (6%), 60+ (6%)
Job               Agriculture (4%), Arts (2%), Computers (26%), Design (6%), Education (16%), Engineering (10%), Management (4%), Media (2%), Research (14%), Sales (2%), Other (14%)
# accounts        0 (4%), 1 (30%), 2 (18%), 3 (8%), 4 (12%), 4+ (28%)
Freq. of use      monthly- (18%), monthly (10%), weekly (10%), daily (26%), daily+ (36%)
Priv. concerned   not much (36%), yes (26%), very much (36%)

TABLE 4
Participants’ demographics, Social Media use, and privacy concern.


6.3 Results 

The results gathered through the web application were compared to the results that would have been obtained if our proposed mechanism was applied to the scenarios and if state-of-the-art automated voting mechanisms were applied. To this aim, we looked at the privacy policy defined by the participant and the conflict generated by the application for each situation. This determined participants' most preferred action for the conflict (to be considered by our proposed mechanism and state-of-the-art voting mechanisms), as well as the willingness to change it (used to determine the concession rule our mechanism would apply in each case). In particular, we compared the results that would have been obtained applying our proposed mechanism to those that would have been obtained applying the general voting mechanisms used in state-of-the-art automated approaches:

• Uploader overwrites (UO), the conflict is solved selecting the action preferred by the user that uploads the item. This is the strategy currently followed by most Social Media Sites (Facebook, etc.).

• Majority voting (MV) [11], the conflict is solved selecting the action most preferred by the majority of the negotiating users.

• Veto voting (VV) [2], if there is one negotiating user whose most preferred action is denying access, the conflict is solved by denying access to the item.

Figure 3 shows the results for each of the above voting mechanisms as well as the results for our proposed mechanism for automated conflict resolution (labelled AR in the figure). In particular, it shows the percentage of times each mechanism matched participants' concession behaviour in the scenarios above. We can observe that our proposed mechanism AR clearly outperformed UO, MV, and VV. This is because these mechanisms lack enough flexibility to model actual user behaviour across different situations in this domain, as they only consider the most preferred action for each negotiating user as a vote without considering the particular situation. We can also observe that UO is very far from what users did themselves, which is mainly due to UO not being collaborative at all — i.e., the preferences of the other parties are not considered. MV performs a bit better than UO, but it is still far from what participants did themselves. This is mostly due to the situations in which even if the majority of users would like to share an item in the first instance, they could reconsider this if there is/are one/multiple user/(s) that would prefer not sharing because this could have privacy consequences for them.

We can also see in Figure 3 that VV performs better than UO and MV. This result confirms that negotiating users are many times open to accept not sharing an item if this can cause privacy breaches to one of them — as also modelled in our proposed mechanism AR. However, VV is too restrictive to be suitable for all situations. This is because there are also situations in which the user/s whose most preferred action is denying access may not mind granting access due to many reasons. In these cases, VV would suggest solutions that mean losing sharing opportunities. For instance, as stated earlier, Alice and Bob could be depicted in a photo with very low sensitivity — e.g., a photo in which both Alice and Bob are depicted with a view to a monument — and both of them could have defined privacy policies for the photo so that all their friends can see it. Suppose that Charlie is a friend of Alice but a distant acquaintance of Bob, so according to Alice's privacy policy Charlie should be granted access to the photo but according to Bob's privacy policy Charlie should not be granted access to the item. However, given that the photo is not sensitive for Bob, Bob would probably accept sharing also with Charlie. VV would not consider this concession, and the solution to solve the conflict would be not sharing with Charlie, so it would be a lost sharing opportunity and Alice may not even accept the solution. In contrast, our mechanism is able to adapt to the particular situation, being as restrictive as VV if needed but also considering the cases in which concessions about granting access are to happen — as the example above, in which the I do not mind (IDM) rule would have picked that Bob would concede, so that the final solution would be to share with Charlie (recall the item was not sensitive to Bob).
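The contrast between AR and the voting rules described above, and the procedure of Algorithm 2 in Section 5.3, can be run side by side. The following Python code is an added example, not the authors' implementation: it evaluates the concession rules, Algorithm 2 and the UO, MV and VV baselines on Example 3 and on the monument and inebriated-photo scenarios. The preferences for Example 3 are read off its narrative; the willingness values for the two photo scenarios, the target name Dan, Alice as uploader, and MV denying on a tie are assumptions made for illustration.

```python
from typing import Dict, List

GRANT, DENY = 1, 0
Prefs = Dict[str, Dict[str, int]]    # negotiating user -> target user -> action
Will = Dict[str, Dict[str, float]]   # negotiating user -> conflicting target -> W in [0, 1]


def is_low(w: float) -> bool:
    """Membership in fuzzy set 'low'; footnote 8 counts exactly 0.5 as low."""
    return w <= 0.5


def concession_rule(a: str, c: str, prefs: Prefs, will: Will) -> str:
    """Concession rule (IDM, IU or NC) instantiated for user a on target c."""
    if not is_low(will[a][c]):
        return "IDM"
    objector = any(is_low(will[b][c]) and prefs[b][c] == DENY for b in prefs)
    return "IU" if prefs[a][c] == GRANT and objector else "NC"


def modified_majority(prefs: Prefs, uploader: str, c: str) -> int:
    """Majority vote in which the uploader's extra vote breaks a tie."""
    grants = sum(v[c] == GRANT for v in prefs.values())
    denies = len(prefs) - grants
    if grants == denies:
        return prefs[uploader][c]
    return GRANT if grants > denies else DENY


def resolve_ar(prefs: Prefs, will: Will, uploader: str,
               targets: List[str]) -> Dict[str, int]:
    """Action vector o: Algorithm 2 for conflicts, the shared action otherwise."""
    o = {}
    for t in targets:
        wanted = {v[t] for v in prefs.values()}
        if len(wanted) == 1:                      # t is not a conflicting target
            o[t] = wanted.pop()
            continue
        low = {prefs[n][t] for n in prefs if is_low(will[n][t])}
        if not low:                               # lines 3-6: everyone is HIGH
            o[t] = modified_majority(prefs, uploader, t)
        elif len(low) == 2:                       # lines 9-10: LOW users disagree
            o[t] = DENY
        else:                                     # line 12: LOW users decide
            o[t] = low.pop()
    return o


def uploader_overwrites(prefs: Prefs, uploader: str, t: str) -> int:
    return prefs[uploader][t]


def majority_voting(prefs: Prefs, t: str) -> int:
    grants = sum(v[t] == GRANT for v in prefs.values())
    # A tie resolves to deny: an assumption, the page does not define MV on ties.
    return GRANT if grants > len(prefs) - grants else DENY


def veto_voting(prefs: Prefs, t: str) -> int:
    return DENY if any(v[t] == DENY for v in prefs.values()) else GRANT


def compare(prefs: Prefs, will: Will, uploader: str, t: str) -> Dict[str, int]:
    """Outcome of each approach for one conflicting target user t."""
    return {"AR": resolve_ar(prefs, will, uploader, [t])[t],
            "UO": uploader_overwrites(prefs, uploader, t),
            "MV": majority_voting(prefs, t),
            "VV": veto_voting(prefs, t)}


# Example 3: willingness from Table 2, preferences as the example narrates them.
EX3_PREFS = {"Alice": {"Charlie": 1, "Dan": 1, "Eve": 0, "Frank": 0},
             "Bob":   {"Charlie": 1, "Dan": 1, "Eve": 1, "Frank": 1}}
EX3_WILL = {"Alice": {"Eve": 0.55, "Frank": 0.43},
            "Bob":   {"Eve": 0.34, "Frank": 0.71}}

# Monument photo: Bob does not mind sharing with Charlie (willingness constructed).
MONUMENT_PREFS = {"Alice": {"Charlie": GRANT}, "Bob": {"Charlie": DENY}}
MONUMENT_WILL = {"Alice": {"Charlie": 0.3}, "Bob": {"Charlie": 0.8}}

# Inebriated photo: Bob objects to sharing with Dan (target and values constructed).
PARTY_PREFS = {"Alice": {"Dan": GRANT}, "Bob": {"Dan": DENY}, "Charlie": {"Dan": GRANT}}
PARTY_WILL = {"Alice": {"Dan": 0.2}, "Bob": {"Dan": 0.1}, "Charlie": {"Dan": 0.2}}

if __name__ == "__main__":
    print(resolve_ar(EX3_PREFS, EX3_WILL, "Alice", ["Charlie", "Dan", "Eve", "Frank"]))
    print("monument:", compare(MONUMENT_PREFS, MONUMENT_WILL, "Alice", "Charlie"))
    print("party:   ", compare(PARTY_PREFS, PARTY_WILL, "Alice", "Dan"))
    print({n: concession_rule(n, "Dan", PARTY_PREFS, PARTY_WILL) for n in PARTY_PREFS})
```

On the monument photo AR shares with Charlie where VV denies, and on the inebriated photo AR denies where UO and MV would share, which is the behaviour the text attributes to each rule.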

We also sought to explore more closely how each of the concession rules in our proposed mechanism contributed to its performance as well as how state-of-the-art voting mechanisms would work in each case. Table 5 shows for each concession rule the number of times that each rule would have been applied (# Instantiations) in the 500 situations and Figure 4 shows the performance of each approach broken down by the concession rule that would have been applied for each situation. We can observe that performance was similar across concession rules for our proposed mechanism AR; i.e., once a particular concession rule was instantiated for a situation, it usually matched users' behaviour with respect to concessions. In particular, we observe that the three concession rules in our mechanism obtain better results than the state-of-the-art approaches. We can also observe that the performance of state-of-the-art voting mechanisms significantly varied according to the concession rule AR would apply. This confirms the fact that static ways of aggregating preferences (as those used in state-of-the-art voting mechanisms) are not desirable in this domain, because the concessions that may happen to resolve multi-party privacy conflicts clearly depend on the particular situation — as captured by the variables considered by AR's concession rules; i.e., individual privacy preferences of each user, the sensitivity of the item to be shared, and the relative importance of the conflicting target user.

Fig. 3. Percentage of times each approach matched concession behaviour.

Fig. 4. Percentage of times each approach matched concession behaviour broken down by the concession rule AR would apply (IDM - I do not mind, IU - I understand, NC - No concession).


Concession Rule        # Instantiations
I do not mind (IDM)    172
I understand (IU)      111
No concession (NC)     217
Total                  500

TABLE 5
Number of times each AR concession rule would have been applied.

Finally, we sought to find any correlation that could exist between participants' data — demographics, social media use and privacy concern — and whether or not participants behaved according to the concession rule instantiated for each situation. To this aim, we calculated the information gain (IG) — i.e., the reduction in entropy — that each variable produced on whether the participant followed the corresponding rule or not once it was instantiated, and the Pearson's correlation coefficient (CC). Table 6 summarises the values for each rule. IGs and CCs were negligible and not statistically significant (i.e., p > 0.05). Thus, users' characteristics like the privacy concern, age, gender, profession, studies, and social media use did not have any significant effect on whether participants followed a concession rule once the rule was instantiated for a particular situation. Note, however, the particular concession rule instantiated in each situation depended on the individual privacy policy of each user, the sensitivity of the item for the user, and the relative importance of the conflicting target user as stated above, which may vary from participant to participant. The important thing is that once a rule was instantiated, the variables above did not influence whether the particular instantiated rule was successful in matching user behaviour or not. In other words, users' characteristics (e.g., demographics, privacy concern, etc.) may determine the individual privacy policies users choose, which in turn determine the rules that are instantiated for a given situation; but users' characteristics do not determine whether users' concession behaviour matches that of the rule instantiated. This suggests the mechanism proposed in this paper captures general user behaviour and would be able to adapt to both different situations and users.

7 Discussion 

The results of the user study suggest that our mechanism was able to match participants' concession behaviour significantly more often than other existing approaches. The results also showed the benefits that an adaptive mechanism like the one we presented in this paper can provide with respect to more static ways of aggregating users' individual privacy preferences, which are unable to adapt to different situations and were far from what the users did themselves. Importantly, our mechanism is agnostic to and independent from how a user interface communicates the suggested solutions to users and gets feedback from them. First, privacy visualisation tools already proved to be highly usable for social media could be used to show and/or modify the suggested solution, such as AudienceView [36], PViz [37], or the Expandable Grid [38]. Second, users could define a default response to the solutions suggested, e.g., always accept the suggested solution without asking me⁹, which, as shown in the evaluation (Section 6), would actually match user behaviour very accurately. Other suitable defaults could be applied based on approaches like [39], [40], [41], or users' responses could be (semi-)automated based on the concession rules instantiated in each situation, using any of the machine-learning approaches shown to work very well in social media privacy settings [18], [19].

                 Rule 1           Rule 2           Rule 3
                 IG      CC       IG      CC       IG      CC
Age              0       0.04     0       0        0       -0.10
Gender           0.06    0.14     0.06    0.13     0       -0.06
Job              0.08    -0.18    0.08    -0.17    0.04    0.11
Studies          0       0.18     0       0.16     0       0.017
Freq. of use     0.03    0.05     0.06    0.08     0.02    -0.07
# Accounts       0       0.14     0       0.16     0       -0.05
Priv. Concern    0       0.13     0       0.16     0       0.04

TABLE 6
IGs and CCs for each rule based on participants’ demographics, social media use, and privacy concern.

We considered the individual privacy preferences of each individual involved in an item, sensitivity of the item and the relative importance of the target to determine a user's willingness to concede when a multi-party privacy conflict arises. Although accuracy results presented in the previous section are encouraging, this does not mean that there are no other factors that play a role to determine concessions. For instance, in e-commerce domains the strength of relationships among negotiators themselves is also known to influence to what extent negotiators are willing to concede during a negotiation [42]. Future research should look into how other factors could help further increase the accuracy of the mechanism presented here.

Finally, we focused on detecting and resolving conflicts once we know the parties that co-own an item and have their individual privacy policies for the item. However, we are not proposing a method to automatically detect which items are co-owned and by whom they are co-owned. This is a different problem that is out of the scope of this paper. For example, Facebook researchers developed a face recognition method that correctly identifies Facebook users in 97.35% of the times [43]. Also, it could be the case that a person does not have an account in a given social media. In that case, her face could be preventively blurred [44]. Blurring faces may seriously diminish the utility of sharing information in social media, but it could also be a good alternative if no agreement is reached between negotiators to ensure an individual (not collective) privacy baseline is achieved.

9. This would be similar to the tagging mechanism of Facebook, which users can configure to be notified for confirmation about tags before they become active or to just go ahead without confirmation.

8 Related Work 

Until now, very few researchers considered the problem of resolving conflicts in multi-party privacy management for Social Media. Wishart et al. [9] proposed a method to define privacy policies collaboratively. In their approach all of the parties involved can define strong and weak privacy preferences. However, this approach does not involve any automated method to solve conflicts, only some suggestions that the users might want to consider when they try to solve the conflicts manually.

The work described in [10] is based on an incentive mechanism where users are rewarded with a quantity of numeraire each time they share information or acknowledge the presence of other users (called co-owners) who are affected by the same item. When there are conflicts among co-owners' policies, users can spend their numeraire bidding for the policy that is best for them. Then, the use of the Clarke Tax mechanism is suggested to obtain the highest bid. As stated in [12], users may have difficulties to comprehend the mechanism and specify appropriate bid values in auctions. Furthermore, users that earned much numeraire in the past will have more numeraire to spend at will, potentially leading to unilateral decisions.

In [12] users must manually define for each item: the privacy settings for the item, their trust to the other users, the sensitivity of the item, and how much privacy risk they would like to take. These parameters are used to calculate what the authors call privacy risk and sharing loss on segments — they define segments as the set of conflicting target users among a set of negotiating users. Then, based on these measures all of the conflicting target users in each segment are assigned the same action. That is, all of the conflicts that a set of negotiating users have would be solved either by granting or denying access. Clearly, not considering that each individual conflict can have a different solution leads to outcomes that are far from what the users would be willing to accept. Moreover, due to how the privacy risk and sharing loss metrics are defined, solutions are likely to be the actions preferred by the majority of negotiating users, which can be many times far from the actual behaviour of users as shown in Section 6.

There are also related approaches based on voting in the literature [2], [11]. In these cases, a third party collects the decision to be taken (granting/denying) for a particular friend from each party. Then, the authors propose to aggregate a final decision based on one of the voting rules already described in Section 6 — i.e., uploader overwrites (UO), majority voting (MV), and veto voting (VV). These approaches are static, in the sense that they always aggregate individual votes in the same way by following the same voting rule. Thus, these approaches are unable to adapt to different situations that can motivate different concessions by the negotiating users, which makes these approaches unable to match the actual behaviour of users many times, as shown in Section 6. Only in [13], the authors consider that a different voting rule could be applied depending on the situation. However, it is the user who uploads/posts the item who chooses manually which one of the voting rules (UO, MV, VV) to apply for each item. The main problem with this — apart from having to specify the voting rule manually for every item — is that the choice of the voting rule to be applied is unilateral. That is, the user that uploads the item decides the rule to apply without considering the rest of the negotiating users' preferences, which becomes a unilateral decision on a multi-party setting. Moreover, it might actually be quite difficult for the user that uploads the item to anticipate which voting rule would produce the best result without knowing the preferences of the other users.

Finally, the problem of negotiating a solution to multi-party conflicts has also been recently analysed from a game-theoretic point of view [45], [46]. These proposals provide an elegant analytic framework proposing negotiation protocols to study the problem and the solutions that can be obtained using well-known game-theoretic solution concepts such as the Nash equilibrium. However, as shown in [45], these proposals may not always work well in practice, as they do not capture the social idiosyncrasies considered by users in the real life when they face multi-party privacy conflicts, and users' behaviour is far from perfectly rational as assumed in these game-theoretic approaches — e.g., refer to §,


9 Conclusions 

In this paper, we present the first mechanism for detecting
and resolving privacy conflicts in Social Media that
is based on current empirical evidence about privacy
negotiations and disclosure driving factors in Social Media
and is able to adapt the conflict resolution strategy based
on the particular situation. In a nutshell, the mediator
first inspects the individual privacy policies of all users
involved, looking for possible conflicts. If conflicts are
found, the mediator proposes a solution for each conflict
according to a set of concession rules that model how
users would actually negotiate in this domain.

We conducted a user study comparing our mechanism
to what users would do themselves in a number of
situations. The results obtained suggest that our mechanism
was able to match participants' concession behaviour
significantly more often than other existing approaches.
This has the potential to reduce the amount of manual
user interventions to achieve a satisfactory solution
for all parties involved in multi-party privacy conflicts.
Moreover, the study also showed the benefits that an
adaptive mechanism like the one we presented in this
paper can provide with respect to more static ways of
aggregating users' individual privacy preferences, which
are unable to adapt to different situations and were far
from what the users did themselves.

The research presented in this paper is a stepping
stone towards more automated resolution of conflicts in
multi-party privacy management for Social Media. As
future work, we plan to continue researching what
makes users concede or not when solving conflicts in this
domain. In particular, we are also interested in exploring
whether other factors could also play a role in
this, for instance whether concessions may be influenced by
previous negotiations with the same negotiating users or
the relationships between negotiators themselves.
Appendix A

Proof of the Principles

Principle 1: Content should not be shared if it is
detrimental to one of the users involved.

Proof: We prove that solutions proposed by the
conflict resolution algorithm (Algorithm 2) follow this
principle by contradiction. Suppose that Principle 1 does
not hold, thus given a negotiating user $a \in N$ who does
not want to share an item with a conflicting target user
$c \in C$ (i.e., $v_a[c] = 0$) and doing this is detrimental to her
(i.e., $W(a,c)$ is low), the solution to the conflict will not
respect the decision made by $a$ and it will be sharing
the item (i.e., $o[c] = 1$). However, Algorithm 2 can only
output value 1 for $o[c]$ in two cases:

1) As a result of a modified majority (line 4). However,
this is only executed when there is no user
$u \in N$ such that $W(u,c)$ is low, which contradicts
our assumption.

2) As a direct assignation from a user who prefers
to share the item (line 12). However, this is only
executed when there is no other user $u \in N$
such that $v_u[c] = 0$ and $W(u,c)$ is low, which
contradicts our assumption. □

Principle 2: If an item is not detrimental to any of the 
users involved and there is any user for whom sharing 
is important, the item should be shared. 

Proof: We prove that solutions proposed by the
conflict resolution algorithm (Algorithm 2) follow this
principle by contradiction. Suppose that Principle 2 does
not hold, thus given a negotiating user $a \in N$ who wants
to share an item with a conflicting target user $c \in C$ (i.e.,
$v_a[c] = 1$) because doing this is important to her (i.e.,
$W(a,c)$ is low), and that there does not exist a negotiating
user $b \in N$ who does not want to share the item with
$c$ (i.e., $v_b[c] = 0$) and the item is detrimental to her (i.e.,
$W(b,c)$ is low), the solution to the conflict will not respect
the decision made by $a$ and it will be not sharing the item
(i.e., $o[c] = 0$). However, Algorithm 2 can only output
value 0 for $o[c]$ in three cases:

1) As a result of a modified majority (line 4). However,
this is only executed when there is no user
$u \in N$ such that $W(u,c)$ is low, which contradicts
our assumption.

2) As a direct assignation of not sharing (line 10).
However, this is only executed when there is
another user $u \in N$ such that $v_u[c] = 0$ and $W(u,c)$
is low, which contradicts our assumption.

3) As a direct assignation from a user who prefers not
to share the item (line 12). However, this would
only be executed when there exists another user
$u \in N$ such that $v_u[c] = 0$ and $W(u,c)$ is low, which
contradicts our assumption. □

Finally, the proof for Principle 3 is omitted because of 
lack of space, but it is trivial to prove that for all other 
cases not considered in Principles 1 and 2, the modified 
majority voting will aggregate all users' preferences. 
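
The following is an added example, not code from the paper: it checks Principles 1 and 2 exhaustively for three negotiating users and one target user, against the static rules UO, MV and VV and against `adaptive`, a sketch built only from the branch conditions the proofs above cite. It assumes a plain majority (ties mean "do not share") in place of the paper's modified majority, and all function names are hypothetical.

```python
from itertools import product

LOW, HIGH = "low", "high"  # W(u, c): willingness of user u to change her preference

def uploader_overwrites(votes, will=None, uploader=0):
    return votes[uploader]            # UO: only the uploader's preference counts

def majority_voting(votes, will=None):
    # MV; a tie resolves to "do not share" (assumption of this example)
    return int(2 * sum(votes) > len(votes))

def veto_voting(votes, will=None):
    return int(all(votes))            # VV: a single "do not share" blocks sharing

def adaptive(votes, will):
    """Sketch of the three branches the Appendix A proofs refer to."""
    firm = [v for v, w in zip(votes, will) if w == LOW]
    if not firm:                      # no user with low W: majority branch
        return majority_voting(votes)
    return 0 if 0 in firm else 1      # a firm "do not share" wins, else firm "share"

def principle_violations(rule, n=3):
    """Count profiles of n users where `rule` breaks Principle 1 / Principle 2."""
    p1 = p2 = 0
    for votes in product((0, 1), repeat=n):
        for will in product((LOW, HIGH), repeat=n):
            pairs = list(zip(votes, will))
            firm_deny = (0, LOW) in pairs    # v_u[c] = 0 and W(u, c) low
            firm_share = (1, LOW) in pairs   # v_u[c] = 1 and W(u, c) low
            out = rule(votes, will)
            p1 += firm_deny and out == 1
            p2 += (not firm_deny) and firm_share and out == 0
    return p1, p2

if __name__ == "__main__":
    for rule in (uploader_overwrites, majority_voting, veto_voting, adaptive):
        print(rule.__name__, principle_violations(rule))
```

Of the 64 profiles, only `adaptive` has no violations of either principle; veto voting never breaks Principle 1 but blocks sharing in cases Principle 2 says should be shared.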


